Cybersecurity Professional Standards

The latest NCSC Cyber Series podcast gathers three voices who know the battlefield from different angles: Tracey Jones, Senior Analyst at the Bank of England; Gian Andrea Padovani, Senior Manager in the PRA’s Cyber-Resilience team; and Chris Ensor, Deputy Director for Cyber Growth at the NCSC. Their discussion turns a spotlight on an issue that rarely makes headlines yet shapes every breach report we read: professional standards.

The Credibility Gap

Finance lives on confidence. When penetration testers walk into a systemic bank or when threat-intelligence teams map criminal campaigns, boards and regulators must trust the people, not just the tools. That trust now depends on well-defined accreditation schemes—CBEST in the UK finance sector is one example—where only practitioners holding the highest recognised certifications can touch live systems. Ensor argues that, without such benchmarks, even the best framework slides into “guesswork hiring” and inconsistent risk judgements.

Enter the UK Cyber Security Council

Ensor outlines a three-part mandate for the fledgling Council: spell out what “good” looks like for each specialism, audit the bodies that award qualifications, and maintain a public register of professionals who meet four ascending levels of competence. It is a model borrowed from medicine and law, adjusted for a discipline whose job titles still vary wildly between companies.

More Than Tech Skills

Jones and Padovani insist that the next generation must pair deep technical insight with something harder to teach: translation. Cyber threats are now boardroom risks, so packet captures and CVE lists have to be recast as business narratives. The mythical “unicorn”—the engineer who codes exploits at night and briefs CEOs at dawn—may remain rare, but multi-disciplinary teams can cover the gap if each member’s specialism is clear.

How Finance Is Leading

Within the Bank of England, cross-market groups such as CMORG convene CISOs to trade playbooks on issues like AI governance and software-supply-chain security. These sessions turn regulator guidance (for instance, the NCSC’s recent software-security principles) into practical checklists, then recycle lessons back into sector-wide guidance. The loop works only because participants share a baseline language of standards and certifications; without it, meetings would stall in definitional debates.

Bridging the Skills Shortage

All three guests converge on one plea: industry must take ownership of entry-level experience. Certifications prove knowledge, not judgement under pressure. Much as law firms nurture trainee solicitors, security consultancies and in-house teams have to invest in apprenticeships and rotations, or the UK skills gap will persist no matter how tidy the standards framework becomes.

Reasons for Optimism

Jones sees hope in culture: cybersecurity has moved from “IT problem” to board-level priority. Padovani welcomes growing recognition of cyber roles by both government and private sector. Ensor bets on the Council to provide the cohesion the field lacks—and urges companies and regulators alike to require its standards so that demand, as well as supply, drives professionalisation.

Bottom line: if boards want fewer nasty surprises and practitioners want clearer career maps, backing a single, transparent set of professional standards is the fastest lever both groups can pull.